Use Windows 7 Event Viewer to track down issues that cause slower boot times

Greg Shultz shows you how to use some of the new features in Windows 7's Event Viewer to investigate a slow boot time.

In last week's blog, "Better Troubleshooting Capabilities with Windows 7 Event Viewer," I introduced you to some of the new features in Microsoft Windows 7's Event Viewer and told you that these new features make the new tool far superior to its XP predecessor. As I mentioned, in addition to the new interface, Microsoft designed Windows 7's Event Viewer to provide you with more meaningful, actionable, and well-documented events in order to provide better information for troubleshooting. Recently, I had an opportunity to put Windows 7's Event Viewer to the test.

A friend mentioned that his one-year-old Windows 7 system was taking much longer to boot than it used to. I explained to him that Microsoft had done a lot of work to make Windows 7 boot up much faster than previous versions of the operating system but that slightly slower boot times were inevitable. As you add more applications and utilities, it will, of course, take a bit longer to boot up the system.

While my friend agreed with that statement, he was adamant that his system was taking much longer to boot up than was acceptable -- he estimated that on a regular basis it was taking close to two minutes to boot up! While that might have been more common during the Windows 2000 or XP eras, I agreed that what he was enduring was probably longer than it should have been. (Keep in mind that there are hundreds of variables that can come into play that affect boot time, such as processor speed, memory speed, hard disk speed, as well as the types of applications and drivers that run during startup.)

I arranged to go over to his place and help him troubleshoot and fix his slow-booting Windows 7 system. As it turned out, it was a pretty simple procedure, and we had his system booting up much quicker in no time at all. All I had to do was delve into Windows 7's Event Viewer, tap into the correct log, and create a Custom View to ferret out the correct Event IDs, and then the problem and solution became readily apparent.

In this edition of the Windows Desktop Report, I'll show you how to use some of the new features in Windows 7's Event Viewer to investigate the boot time and track down issues that can cause a slowdown in the boot process.

Overview

Windows 7's Event Viewer includes a new category of event logs called Applications and Services Logs, which includes a whole host of subcategories that track key elements of the operating system. The majority of these subcategories contain an event log type called Operational that is designed to track events that can be used for analyzing and diagnosing problems. (Other event log types that can be found in these subcategories are Admin, Analytic, and Debug; however, describing them is beyond the scope of this article.)

Now, within the operating system section is a subcategory titled Diagnostics-Performance, whose Operational log contains a Task Category called Boot Performance Monitoring. The Event IDs in this category are 100 through 110. By investigating all the Event ID 100 events, you will be able to find out exactly how long it took to boot up your system every time since the day you installed Windows 7. By investigating all the Event ID 101 through 110 events, you will be able to identify all instances where boot time slowed down.

Getting started

You can find and launch Event Viewer by opening the Control Panel, accessing the System and Security category, selecting the Administrative Tools item, and double-clicking the Event Viewer icon. However, you can also simply click the Start button, type Event in the Start Search box, and press Enter once Event Viewer appears at the top of the results display.

Creating a Custom View

Once you have Event Viewer up and running, you can, of course, drill down through the Applications and Services Logs, locate the Diagnostics-Performance Operational log, and begin manually looking through the events recorded in the log. However, you can save yourself time and energy by taking advantage of the new Custom View feature, which is essentially a filter that you can create and save.

To do so, pull down the Action menu and select the Create Custom View command. When you see the Create Custom View dialog box, leave the Logged option set at the default value of Any Time and select all the Event level check boxes. Next, select the By Log option button, if it is not already selected, and click the dropdown arrow. Then, drill down through the tree following the path: Applications and Services Logs | Microsoft | Windows | Diagnostics-Performance. When you open the Diagnostics-Performance branch, select the Operational check box, as shown in Figure A.

Figure A

When you get to the Diagnostics-Performance branch, select the Operational check box.

To continue, type 100 in the Includes/Excludes Event IDs box, as shown in Figure B, and then click OK.

Figure B

Event ID 100 records how long it takes to boot up your system.

When you see the Save Filter to Custom View dialog box, enter a name, as shown in Figure C, and click OK.

Figure C

To save the filter as a Custom View, simply provide an appropriate name, such as Boot Time.

You'll now repeat these steps and create another Custom View, and this time, you'll type 101-110 in the Includes/Excludes Event IDs box and name it Boot Degradation.

Investigating Boot Time

To investigate your Windows 7 system's boot time, select Boot Time in the Custom Views tree and then sort the Date and Time column in ascending order. When you do, you'll see a complete history of every time you have booted your system since the day you installed Windows 7. In Figure D, you can see that I have hidden the Console Tree and the Action Pane to focus on the events.

Figure D

By sorting the Date and Time column in ascending order, you'll see a complete history of every time you have booted your system since the day you installed Windows 7.

As you can see, the first recorded Boot Time on my sample system was 67479 milliseconds in October 2009. Dividing by 1,000 tells me that it took around 67 seconds to boot up. Of course, this was the first time, and a lot was going on right after installation. For example, drivers were being installed, startup programs were being initialized, and the SuperFetch cache was being built. By December 2009 the average boot time was around 37 seconds.

In any case, by using the Boot Time Custom View, you can scroll through every boot time recorded on your system. Of course, keep in mind that there will be normal occurrences that may lengthen the boot time, such as when updates, drivers, and software are installed.

Now, if you click the Details tab, you'll see the entire boot process broken down in an incredible amount of detail, as shown in Figure E. (You can find more information about the boot process in the "Windows On/Off Transition Performance Analysis" white paper.) However, for the purposes of tracking the boot time, we can focus on just three of the values listed on the Details tab.

Figure E

The Details tab contains an incredible amount of detail on the boot time.

MainPathBootTime

MainPathBootTime represents the amount of time that elapses between the time the animated Windows logo first appears on the screen and the time that the desktop appears. Keep in mind that even though the system is usable at this point, Windows is still working in the background loading low-priority tasks.

BootPostBootTime

BootPostBootTime represents the amount of time that elapses between the time that the desktop appears and the time that you can actually begin using the system.

BootTime

Of course, BootTime is the same value that is called Boot Duration on the General tab. This number is the sum of MainPathBootTime and BootPostBootTime. Something that I didn't tell you before is that Microsoft indicates that your actual boot time is about 10 seconds less than the recorded BootTime. The reason is that it usually takes about 10 seconds for the system to reach an 80-percent idle measurement, at which time the BootPostBootTime measurement is recorded.

Investigating Boot Degradation

To investigate instances that cause your Windows 7 system's boot time to slow down, select Boot Degradation in the Custom Views tree and then sort the Event ID column in ascending order. Each Event ID, 101 through 110, represents a different type of situation that causes degradation of the boot time.

While there are ten different Event IDs here, not all of them occur on all systems and under all circumstances. As such, I'll focus on the most common ones that I have encountered and explain some possible solutions.

Event ID 101

Event ID 101 indicates that an application took longer than usual to start up. This is typically the result of an update of some sort. As you can see in Figure F, the AVG Resident Shield Service took longer than usual to start up right after an update to the virus database. If you look at the details, you can see that it took about 15 seconds for the application to load (Total Time), and that is about 9 seconds longer than it normally takes (Degradation Time).

Figure F

Event ID 101 indicates that an application took longer than usual to start up.

An occasional degradation is pretty normal; however, if you find that a particular application is being reported on a regular basis or has a large degradation time, chances are that there is a problem of some sort. As such, you may want to look for an updated version, uninstall and reinstall the application, uninstall and stop using the application, or maybe find an alternative.

(In the case of my friend's Windows 7 system, there were several applications that were identified by Event ID 101 as the cause of his system slowdown. Uninstalling them was the solution, and he is currently seeking alternatives.)

Event ID 102

Event ID 102 indicates that a driver took longer to initialize. Again, this could be the result of an update. However, if it occurs regularly for a certain driver or has a large degradation time, you should definitely look into a newer version of the driver. If a new version is not available, you should uninstall and reinstall the driver.

Event ID 103

Event ID 103 indicates that a service took longer than expected to start up, as shown in Figure G.

Figure G

Event ID 103 indicates that a service took longer than expected to start up.

Services can occasionally take longer to start up, but they shouldn't do so on a regular basis. If you encounter a service that is regularly having problems, you can go to the Services tool and experiment with changing the Startup type to Automatic (Delayed Start) or Manual.

Event ID 106

Event ID 106 indicates that a background optimization operation took longer to complete. On all the Windows 7 systems that I investigated, this event identified the BackgroundPrefetchTime as the culprit, as shown in Figure H. Since the Prefetch cache is a work in progress, this should not really represent a problem.

Figure H

Event ID 106 indicates that a background optimization operation took longer to complete.

If you encounter regular or long degradation times related to Prefetch, you may want to investigate clearing this cache and allowing the operating system to rebuild it from scratch. However, bear in mind that doing so can be tricky, and instructions on doing so are beyond the scope of this article.

Event ID 109

Event ID 109 indicates that a device took longer to initialize. Again, if this is happening occasionally, there shouldn't be anything to worry about. But if it is occurring regularly, you should make sure that you regularly back up your hard disk and begin investigating replacing the device in question.
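The Boot Time and Boot Degradation views described above can also be reproduced from PowerShell, which makes it easier to average boot times per month and to see which application, driver, service or device shows up repeatedly. This is an added example, not part of the original article; the helper name Get-EventFields is chosen here, and the script assumes the event XML carries the fields BootTime, MainPathBootTime, BootPostBootTime, Name and DegradationTime.

```powershell
# Added example. Written for PowerShell 2.0 (the Windows 7 default).
# Use an elevated prompt if access to the log is denied.
$log = 'Microsoft-Windows-Diagnostics-Performance/Operational'

# Helper (name chosen for this example): EventData fields as a hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    $fields
}

# Boot Time view: every Event ID 100, oldest first, converted to seconds.
$bootFilter = @{ LogName = $log; Id = 100 }
$boots = @(Get-WinEvent -FilterHashtable $bootFilter -Oldest -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        New-Object PSObject -Property @{
            Booted      = $_.TimeCreated
            BootTimeSec = [math]::Round([double]$f['BootTime'] / 1000, 1)
            MainPathSec = [math]::Round([double]$f['MainPathBootTime'] / 1000, 1)
            PostBootSec = [math]::Round([double]$f['BootPostBootTime'] / 1000, 1)
        }
    })
if ($boots.Count -eq 0) { Write-Warning "No Event ID 100 records found in $log" }
$boots | Format-Table Booted, BootTimeSec, MainPathSec, PostBootSec -AutoSize

# Average per month, to separate a trend from one slow boot after an update.
$boots | Group-Object { $_.Booted.ToString('yyyy-MM') } | ForEach-Object {
    $avg = ($_.Group | Measure-Object BootTimeSec -Average).Average
    New-Object PSObject -Property @{
        Month = $_.Name; Boots = $_.Count; AvgSec = [math]::Round($avg, 1)
    }
} | Format-Table Month, Boots, AvgSec -AutoSize

# Boot Degradation view: Event IDs 101-110 grouped by event type and Name,
# so items that recur (rather than one-off delays) sort to the top.
$degFilter = @{ LogName = $log; Id = 101..110 }
Get-WinEvent -FilterHashtable $degFilter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        New-Object PSObject -Property @{
            EventId = $_.Id; Name = $f['Name']
            DegradationMs = [double]$f['DegradationTime']
        }
    } | Group-Object EventId, Name | ForEach-Object {
        $m = $_.Group | Measure-Object DegradationMs -Average -Maximum
        New-Object PSObject -Property @{
            EventId = $_.Group[0].EventId; Name = $_.Group[0].Name; Count = $_.Count
            AvgDegradationSec = [math]::Round($m.Average / 1000, 1)
            MaxDegradationSec = [math]::Round($m.Maximum / 1000, 1)
        }
    } | Sort-Object Count -Descending |
    Format-Table EventId, Name, Count, AvgDegradationSec, MaxDegradationSec -AutoSize
```

An entry with a high Count and a large AvgDegradationSec is the kind of recurring problem the sections above say to act on; a single occurrence right after an update usually is not.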

What's your take?

In addition to providing improved performance and a new user interface, Windows 7's Event Viewer provides you with the ability to investigate boot time and problems that cause boot degradation. Have you used Windows 7's Event Viewer to investigate boot problems? Have you encountered other Event IDs in the 101 to 110 range that I didn't describe? If so, what were they? As always, if you have comments or information to share about this topic, please take a moment to drop by the TechRepublic Community Forums and let us hear from you.


About Greg Shultz

Greg Shultz is a freelance Technical Writer. Previously, he has worked as Documentation Specialist in the software industry, a Technical Support Specialist in educational industry, and a Technical Journalist in the computer publishing industry.


I followed the article and tracked down the issues and created boot time and boot degradation and deleted. Now the problem I am facing is that when I start my laptop local drive C shows 5gb which needed to 48gb and "RESTART" it shows 46gb free space. It is quite annoying PLEASE HELP

Decided this weekend to find out what (occasionally) causes my system to take 5-7 minutes to boot up. Thanks to your article, I found a driver taking 304K ms to initialize - for a program I no longer use.

Hey Greg, thanks for sharing these tips on Windows Event Viewer. This is a great way to investigate what is causing slow boot up time. I'm curious, once you found out why your friend's boot process slowed down, what did you do to solve the problem?

Very good article and very insightful for conducting troubleshooting on slow booting systems. Too bad you didn't have the space to cover all of the Event IDs (I personally have some "110"s and Google hasn't been much help so far in tracking down the information similar to what you provide in this article on the Event IDs you do address; I'm finding all kinds of sites that cover "110", but most of them address specific apps rather than "boot degradation").
Thank you for sharing your knowledge through your articles.

Hi This is what I encountered:
Event Id-107
Application of machine policy caused a slow down in the system start up process:
Name : MachinePolicyApplication
Total Time : 1581ms
Degradation Time : 1036ms
Event Id-108
Application of user policy caused a slow down in the system start up process:
Name : PreShellInit
Total Time : 8535ms
Degradation Time : 4535ms
Event Id-110
Session manager initialization caused a slow down in the startup process:
Name : SMSSInit
Total Time : 17341ms
Degradation Time : 9192ms

Based on the Boot Time view, it looks like my average boot time for 64-bit Win7 Ultimate is about 2 minutes, and has been so from the get-go. Based on Boot Degradation view, there are occasional 101 or 102 events, but they don't occur daily, the associated application or driver varies, and the associated delays are fairly insignificant. That being the case, what other events might reveal sources of boot delay? Also, for Boot Time view, many of the 100 events have Critical level -- where are the details that explain that categorization?

I found this article very interesting as I was having longer than usual boot times. When I opened the Custom View Boot Time I was alarmed to see most of my event levels were "Critical" as opposed to the "Error" level discussed. All of these "Critical" level indicated IsDegradation: "false". I would have been interested if this issue had been covered in the article.

An excellent article Greg,
I have encountered 107 - giving typical degradations of 1 second and associated with the MachinePolicyApplication and also 108 with delays of between 1 and 3 seconds associated with the PreShellInit
GT (RACD)
Retired from Active Computer Diagnostics

My Win 7 x64 machine will not go to sleep automatically and sometimes will not wake up again - I have to do a hard reset to bring it back. Are there particular event logs I can check to look for the source of these issues?

Has the boot time of your PC grown inexplicably lately? Have you used Windows 7's Event Viewer to investigate boot problems? Have you encountered other Event IDs in the 101 to 110 range that I didn't describe? If so, what were they?

...(In the case of my friend's Windows 7 system, there were several applications that were identified by Event ID 101 as the cause of his system slowdown. Uninstalling them was the solution, and he is currently seeking alternatives.)

..any detail on the IsDegradation item nor draw a conclusion between the False and True listings.
However, regardless if it is marked as a Warning or an Error level, what you need to determine is the pattern...
Are they occurring on a regular basis?
If so, do any of the example problem/solutions that I presented in the article appear to make sense in your situation...

Hello,
My system takes somewhere close to 5 min before it is usable. I see no errors or events in my logs after 2/22/10. I do have several things disabled one being the Diagnosis scheduled task. Anyone know if that task creates these log entries? It was disabled to fix the issue with network shortcut icons being deleted when it ran.

Regularly cleaning the registry with a registry cleaner (Glary, for one) will substantially help. Stopping all programs (that windows doesn't need to boot) in the auto run folder (if you have a registry cleaner other than Glary like RFA 32 bit) will also help.

...not sure why the logs wouldn't have recorded activity, but pretty sure that Diagnosis scheduled task doesn't have anything to do with it.
Since you provide no detail, I have to ask the obvious: Are you sure that you are looking at the correct logs?

I did that yesterday and went through 4 reboots without it appearing. This morning one finally appeared. Maybe it was busy doing cleanup after being disabled for so long. It only shows one entry, not sure if it will eventually show more after it collects for a while?

... make sure that the Diagnostic Policy Service is set to Automatic and reboot your system.
The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function.

There are entries until 2/10 so I assume I'm in the right place. I've compared to another recently setup system and haven't found a difference in startup programs/services but it has the entries. Any idea what service/app is collecting the data for this log? Just the Windows event log service?